Java has a security architecture that is intended to protect systems from malicious code. In particular, the Java security system includes an authentication subsystem and an authorization subsystem, which is known as the Java Authentication Authorization Service (JAAS). The JAAS authorization scheme is designed to ensure that only authorized code are granted access to the resources of a computer.
JAAS uses a security model that is code-centric or user-centric in combination with a policy file. In particular, JAAS primarily evaluates whether the code being executed can be trusted or whether the user of the code can be trusted. The policies for evaluating the level of trust to be granted to the code or user is then specified by the policy file.
However, this security model may not be enough for many enterprise applications. For example, an enterprise may want to use custom security repositories, such as LDAP (lightweight directory access protocol), a database, or another file system. Typically, this sort of custom security logic is implemented by writing customized modules or policy files that interface into JAAS.
Unfortunately, such modification of JAAS requires a good understanding of the modules and processes involved in JAAS. Although JAAS allows for customization of authorization and policies implemented, this customization requires a significant amount of coding to create proper classes and take care of both the configuration and policy files.
Accordingly, it would be desirable to provide an authorization framework that is easily configured to accommodate a custom security repository. It would also be desirable to provide an authorization framework that can allow access control mechanisms to be added or changed as needed.